Object Security – Object Manager

As promised, I’m going to explain some other topics relating to Objects and the Object Manager.

When a process is created, and then wishing to use the object, either through opening a handle or using a pointer (reserved for kernel), then it must inform the Object Manager of which access rights it wishes to acquire. For example, opening a handle to a file object (can be a storage device), it may wish to read or write to that device. If so, the Object Manager will need to call the Security Reference Monitor, and show the desired access rights of the process, if the object’s security descriptor permits these access rights, then the process gains a granted access rights.

We can view the access rights of a object using WinObj, ensure your running the program as a Administrator, by clicking File and and then Run As Administrator.

Here is an example of using a Object directory, and then viewing it’s security access rights. Right-Click the Object Type/Directory, and then select Properties.

We can view the Security Descriptor of a object using WinDbg, I’m using a process object in this example:

Enter the !process extension, to obtain the address of the process object, to be used with the !object extension.

Now, use the !object extension with the address of the process object, this will give us the address of the Object Header data structure, which will contain the Security Descriptor field, which in turn will contain the address of the Security Descriptor to be used with the !sd extension.

Use !sd extension with the address in the Security Descriptor field to obtain all the Security Descriptor information. Since, the !sd extension didn’t work in my Kernel Memory dump, I’ve taken the example from the WinDbg documentation.

I’m unlikely to be able to explain every detail of how Security Descriptors are formed, and all the internals of Object Security, since it’s a wide topic for a blog post.

I’ll explain some of the fields for the !sd extension:

Revision: Version of the SRM (Security Reference Monitor) security model. 

Flags: Characteristics of the security descriptor.

Owner: Owner SID, or security ID.

Group: Group SID for primary group for the object.

The flags which are currently set are:

SE_DACL_PRESENT: Indicates that the security descriptor has a discretionary access control list present (DACL), which shows who has access to that object. If this flag is not set or NULL, then everyone has full access to that object.

SE_SELF_RELATIVE: Indicates that the security descriptor has all the security information in one continuous block of memory (most likely a array).

We can also view security descriptor information in Process Explorer.


About 0x14c

I'm currently a Software Developer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Windows Internals. Bookmark the permalink.

One Response to Object Security – Object Manager

  1. VnSpl0it says:

    Great, Thanks !


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s